Certified Information Systems Security Professional (CISSP) Domain "Access Control"
Report paper
Supervised by instructor Dogus Sarica
Prepared by Zaid Dawad Al-Rustom (20112465)
Definitions
First I will present some definitions of the Certified Information Systems Security Professional (CISSP). CISSP is an independent information security certification governed by the International Information Systems Security Certification Consortium, also known as (ISC)².
As of November 2012, (ISC)² reports that 84,596 members hold the CISSP certification worldwide, in 143 countries. In June 2004, the CISSP obtained accreditation under ANSI ISO/IEC Standard 17024:2003. It is also formally approved by the U.S. Department of Defense (DoD) in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoDD 8570 certification requirement. The CISSP has been adopted as a baseline for the U.S. National Security Agency's ISSEP program.
My own definition: it is an international certificate that organizations depend on to secure the data in computers, made by a group of specialist computer security programmers to provide a standard security certificate. The main advantage of this is that it puts in place many computer security laws and ethical rules that protect us against internet information crimes.
The 10 Domains:
1. Security Management Practices
2. Access Control Systems & Methodology
3. Law, Investigations, Ethics
4. Physical Security
5. Business Continuity & Disaster Recovery Planning
6. Security Architecture & Models
7. Cryptography
8. Telecommunications & Network Security
9. Applications & Systems Development
10. Operations Security.
Access control
"The first line of defense"
Some attacks
Let's look at some of the different attacks on passwords. There are three simple kinds: the dictionary attack, the brute-force attack, and a combination of the two called a hybrid attack. First of all, what is a dictionary attack? A password is not stored in clear text in a file on your computer; what is stored is a hash of the password. A dictionary attack basically takes every word in a dictionary, creates a hash of it, and compares that hash with the file on the computer. When it finds a match, it looks back at the word it used to create that hash, and that word is the password. A brute-force attack is just that: it tries all possible combinations in order to match your hash and recover your password.
A brute-force attack will always succeed eventually, because it literally tries every possible combination. What are some of the things you can do to mitigate these attacks? First of all, the obvious one: don't send your passwords in clear text, and don't use common words or dictionary words as passwords.
There are tools out there, SATAN being one of them, that you can use as password checkers to see how secure your passwords are. They identify those that are weak, and you then simply change those.
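As an added illustration of the password checker the text describes (not code from the report or from any tool it names), the block below runs the dictionary and hybrid candidates over a constructed file of unsalted SHA-256 password hashes, reports which accounts must change their password, and reuses the same candidate list as a policy check at password-set time; user names, passwords and wordlist are all constructed sample data.

```python
import hashlib

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed password file: user -> unsalted SHA-256 of the password (hypothetical data).
STORED_HASHES = {
    "alice": sha256_hex("welcome"),       # plain dictionary word
    "bob":   sha256_hex("dragon99"),      # dictionary word + digits (hybrid)
    "carol": sha256_hex("Tr!x9-qLm#2p"),  # not derivable from the wordlist
}

# Constructed wordlist; a real checker would load a large dictionary file.
WORDLIST = ["password", "welcome", "dragon", "letmein"]

def candidates(wordlist, max_suffix=99):
    """Dictionary candidates first, then hybrid variants (capitalised, digits appended)."""
    for w in wordlist:
        yield w
    for w in wordlist:
        yield w.capitalize()
        for n in range(max_suffix + 1):
            yield f"{w}{n}"
            yield f"{w.capitalize()}{n}"

def is_weak(password: str, wordlist=WORDLIST) -> bool:
    """Policy check at password-set time: reject anything the dictionary/hybrid pass would find."""
    return any(password == c for c in candidates(wordlist))

def audit(stored, wordlist=WORDLIST):
    """Password checker over a stored hash file: returns {user: weak_password} for every
    account whose hash matches a candidate. Because the hashes are unsalted, each
    candidate is hashed once and that one hash is looked up for all users at the same time."""
    lookup = {}
    for c in candidates(wordlist):
        lookup.setdefault(sha256_hex(c), c)
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

if __name__ == "__main__":
    for user, pw in audit(STORED_HASHES).items():
        print(f"{user}: weak password found, must be changed ({pw!r})")
```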
Access control administration
The organization has to decide which access control model they are going to implement, whether it is going to be DAC or MAC; whatever they use, expect to find it in the security policy. Then the technologies and techniques that are going to support that model need to be identified and put in place: the standards need to be developed, the policies need to be developed, and the procedures need to be developed and put in place. The next question they have to answer is how are we going to manage it? Are we going to manage it centrally, with one central location handling everything? That might work for a small organization, but when you get into a large organization, particularly a multinational or international one spread across many countries, a centralized approach may not be the best solution, and you may want to decentralize. You may only want to decentralize a portion of it, which is referred to as the hybrid approach: let's say you centrally manage the network, but for local printers and local file shares you manage access at that particular location. That is a hybrid approach to the administration of access control.
When we talk about centralized access control, we have one location that is making the decisions regarding access. Senior management has to decide that, and it has to be defined in the security policy; the data owner makes the ultimate decision, and senior management decides what they are going to have in place in order to support it. Are they going to use something like RADIUS, TACACS+, or Diameter (the new version of RADIUS) as their centralized access control? In other words, you've got one location, and that location is controlling access for everybody.
Centralized access control
I will give an example to discuss centralized access control: RADIUS. It is a handshaking protocol that allows the RADIUS server to provide authentication and authorization information to the network access server, which is the RADIUS client. When we dial in, we reach the RADIUS client, which talks to the RADIUS server; that server contains a database of users and credentials. The RADIUS server may also be configured to give you access to another directory, a Lightweight Directory Access Protocol (LDAP) server that has the credentials on it. For example, the RADIUS server could be configured to access Active Directory on Windows and use that database of users and credentials. Then there needs to be communication between the RADIUS client and the server, and that communication needs to be protected. The user initiates the point-to-point protocol (PPP) authentication with the provider; the RADIUS client then prompts the user for their credentials, and the user types in the user ID and password. The server then checks those credentials, either locally in its own database or against, let's say, Active Directory, and sends back an Accept or a Reject, or it may send a Challenge back. If authentication is successful, RADIUS will allow the client access to the network, so you can get onto the network and do whatever you are allowed to do.
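The exchange just described, as an added example that is not part of the report or of any RADIUS implementation: a simulated RADIUS client (NAS) and server share a secret, the client hides the User-Password with the RFC 2865 MD5-XOR scheme, and the server's Accept/Reject carries a Response Authenticator that the client verifies, which is how the client-server communication the text says must be protected is actually protected. The shared secret, user database and identifier are constructed values; attribute encoding and Access-Challenge are left out.

```python
import hashlib
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SHARED_SECRET = b"example-shared-secret"      # constructed; configured on both NAS and server
USER_DB = {b"alice": b"correct horse"}        # constructed local credential database

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply came
    from a server holding the shared secret and binds it to this particular request."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + req_auth + attrs + secret).digest()

def radius_server(ident: int, req_auth: bytes, user: bytes, hidden_pw: bytes, secret=SHARED_SECRET):
    """Server side: recover the password, check it against the local database,
    answer Access-Accept or Access-Reject."""
    pw = reveal_password(hidden_pw, secret, req_auth)
    code = ACCESS_ACCEPT if USER_DB.get(user) == pw else ACCESS_REJECT
    return code, response_authenticator(code, ident, b"", req_auth, secret)

def radius_client(user: bytes, password: bytes, server_secret=SHARED_SECRET) -> str:
    """NAS side: build the Access-Request, 'send' it, and verify the Response Authenticator
    before granting network access. server_secret lets the example model a server (or an
    impostor) that does not hold the real shared secret."""
    ident, req_auth = 7, secrets.token_bytes(16)
    hidden = hide_password(password, SHARED_SECRET, req_auth)
    code, resp_auth = radius_server(ident, req_auth, user, hidden, server_secret)
    if resp_auth != response_authenticator(code, ident, b"", req_auth, SHARED_SECRET):
        return "forged"          # reply not authenticated with our shared secret: ignore it
    return "accept" if code == ACCESS_ACCEPT else "reject"
```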
Access control methodologies
Administrative:
Group membership
Time of day
Transaction type
The methodologies for access control are administrative, technical and physical. With administrative controls we have group membership, time of day, and transaction type. So from an administrative methodology we can restrict access to data based on group membership, on time of day (payroll files are not accessed on Sunday morning at 3:00am), or on transaction type (you're not allowed to perform a particular transaction type, such as deleting a database table). Those are administrative access control methodologies.
Technical access control
Directory service
Network architecture
Network access
Encryption
Auditing
Directory service
The technical layer of access control: what are the technical access controls? We've already mentioned directory services, but the way that you architect the network can also be an access control, and that is technical. Network access is a technical control, as is encryption. And let me point out one thing: auditing is a technical access control. Audit logs are technical controls because they track the activity of users and systems. Auditing is not preventative; it can't prevent someone from accessing, but it helps a system administrator understand how the access took place so that in the future they can make changes. For directory services there are different types: X.500, LDAP, network directory services, and Active Directory. All four of those are directory services, and all of them are technical controls. LDAP, the Lightweight Directory Access Protocol, basically adapts the X.500 directory to work over TCP/IP.
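To make the administrative methodology concrete, and to show why the text calls auditing a detective rather than a preventative control, here is an added example (not from the report) that evaluates group membership, time of day and transaction type against a constructed policy and records every decision in an audit log; the resources, groups and hours are hypothetical values chosen to match the payroll example above.

```python
from datetime import datetime

# Constructed administrative policy (hypothetical rules, not from the report):
# resource -> groups allowed, weekdays allowed (Mon=0), office hours, permitted transaction types.
POLICY = {
    "payroll": {"groups": {"hr", "finance"}, "days": {0, 1, 2, 3, 4},
                "hours": (8, 18), "ops": {"read", "update"}},
    "public_site": {"groups": {"everyone"}, "days": set(range(7)),
                    "hours": (0, 24), "ops": {"read"}},
}

# Detective control: the log records every decision but prevents nothing by itself.
AUDIT_LOG: list[str] = []

def decide(user: str, groups: set[str], resource: str, op: str, when: datetime) -> tuple[bool, str]:
    """Evaluate group membership, then time of day, then transaction type; default deny."""
    rule = POLICY.get(resource)
    if rule is None:
        verdict = (False, "no rule for resource: default deny")
    elif not groups & rule["groups"]:
        verdict = (False, "group membership")
    elif when.weekday() not in rule["days"] or not rule["hours"][0] <= when.hour < rule["hours"][1]:
        verdict = (False, "time of day")
    elif op not in rule["ops"]:
        verdict = (False, "transaction type")
    else:
        verdict = (True, "allowed")
    outcome = "ALLOW" if verdict[0] else "DENY"
    AUDIT_LOG.append(f"{when.isoformat()} {user} {op} {resource} -> {outcome} ({verdict[1]})")
    return verdict

if __name__ == "__main__":
    # Sunday 3:00am access to payroll files, as in the text, is denied on time of day.
    print(decide("pat", {"hr"}, "payroll", "read", datetime(2012, 11, 4, 3, 0)))
    print(decide("pat", {"hr"}, "payroll", "read", datetime(2012, 11, 5, 10, 0)))
    print("\n".join(AUDIT_LOG))
```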
Network architecture
Where you place firewalls, for example. You may have an internal network within your trusted network, let's say just for the top secret data, and you put a firewall in front of that top secret portion of your network to block it. So basically what you're doing is architecting the network to control access. You put a DMZ in place; in the DMZ you put your bastion host servers, from which you've removed all the extra services and ports; you put a firewall in front of the DMZ and a firewall after the DMZ. How you architect the network controls who has access and who can get where.
Physical layer
Network segregation
Perimeter security
Computer controls
Work area separation
Cabling
The physical controls are network segregation, perimeter security, computer controls, work area separation, and cabling.
Network segregation is just that: you can physically separate the network, or you can logically separate it. Physically separated means the wiring, one set of routers, and one set of switches are physically separated from other parts of the network; logically separated means using virtual LANs. With perimeter security you've got locks on the doors, perhaps a mantrap to get into the building, and guards; all of those are physical security controls. Computer controls are things like a lock on your laptop, so you lock it to your desk and people can't walk off with it; for those of you under the requirement that you can't use the USB ports, physically removing them from the device, or putting epoxy into the slot so you can't insert a USB device because the slot has been filled with epoxy. Those are all types of computer controls. Then there is work area separation. I have one client, a state agency, who has a direct connection with a federal agency. They're both in the same physical building on the same floor, but you have to go through the state agency to get to the back of the room, to another private door that only the federal employees are allowed to go through, and they have their own internal mantrap in order to get into the federal area. To me that's work area separation. And then cabling: actually keeping the cables separate. Those are all types of physical layer or physical controls.
Identification and Authentication
Identification and authentication are the keystones of most access control systems.
Identification is the act of a user professing an identity to a system, usually in the
form of a log-on ID to the system. Identification establishes user accountability for
the actions on the system. Authentication is verification that the user’s claimed
identity is valid and is usually implemented through a user password at log-on time.
Authentication is based on the following three factor types:
1. Something you know, such as a PIN or password
2. Something you have, such as an ATM card or smart card
3. Something you are (physically), such as a fingerprint or retina scan
Passwords
Passwords can be compromised and must be protected. In the ideal case, a
password should only be used once. This “one-time password” provides
maximum security because a new password is required for each new log-on. A
password that is the same for each log-on is called a static password. A password
that changes with each log-on is termed a dynamic password. The changing of
passwords can also fall between these two extremes. Passwords can be required
to change monthly, quarterly, or at other intervals, depending on the criticality of
the information needing protection and the password’s frequency of use.
Obviously, the more times a password is used, the more chance there is of it
being compromised. A passphrase is a sequence of characters that is usually
longer than the allotted number for a password. The passphrase is converted into
a virtual password by the system.
Biometrics
An alternative to using passwords for authentication in logical or technical
access control is biometrics. Biometrics are based on the Type 3 authentication
mechanism something you are. Biometrics are defined as an automated means of
identifying or authenticating the identity of a living person based on
physiological or behavioral characteristics. In biometrics, identification is a
“one-to-many” search of an individual’s characteristics from a database of stored
images. Authentication in biometrics is a “one-to-one” search to verify a claim
to an identity made by a person. Biometrics is used for identification in physical
controls and for authentication in logical controls.
The following are typical biometric characteristics that are used to uniquely
authenticate an individual’s identity:
Fingerprints
Retina scans
Iris scans
Facial scans
Palm scans
Hand geometry
Voice
Handwritten signature dynamics
Single Sign-On (SSO)
Single Sign-On (SSO) addresses the cumbersome situation of logging on
multiple times to access different resources. A user must remember numerous
passwords and IDs and may take shortcuts in creating passwords that may be
open to exploitation. In SSO, a user provides one ID and password per work
session and is automatically logged-on to all the required applications. For SSO
security, the passwords should not be stored or transmitted in the clear. SSO
applications can run either on a user’s workstation or on authentication servers.
The advantages of SSO include having the ability to use stronger passwords,
easier administration of changing or deleting the passwords, and requiring less
time to access resources. The major disadvantage of many SSO implementations
is that once a user obtains access to the system through the initial logon, the user
can freely roam the network resources without any restrictions.
Conclusion
We talked about the fact that you can separate the network physically or logically with virtual LANs: let's say one virtual LAN for top secret, one for secret, and one for public information or unclassified data. I am going to conclude this subject on access control. We've talked about access control as being the first line of defense, and we've talked about how people access data and the resources that go along with making that happen; the main goal is to protect resources from unauthorized access. The models are discretionary access control, mandatory access control, role-based access control and rule-based access control, and then there is the question of whether you want to manage access control centrally, decentralized, or with a hybrid approach. We talked about the fact that controls can be administrative, physical or technical, and that regardless of whether they're administrative, physical or technical, those controls can give you preventative, detective and recovery services. I hope you've enjoyed this article about access control, and I look forward to seeing you again, hoca, next semester; excuse me for my English language errors.